When the Shore Side Falls: Dissecting the Anubis Ransomware Attack on the Adriatic Port Authority

Maritime Threat Craft #2

The Anubis ransomware group’s attack on the Adriatic Port Authority, the “Autorità di Sistema Portuale del Mare Adriatico Centrale” [operator of the Port of Ancona], was not a sophisticated OT intrusion. No ECDIS was touched. No ballast management system was manipulated. No integrated bridge system received a command it shouldn’t have. The publicly reported attacker activity remained within shore-side IT infrastructure:

  • Office 365 accounts
  • Azure management layers
  • Windows endpoints
  • and whatever unpatched internet-facing services happened to be in scope.

And yet the operational consequences were real and immediate. Cargo processing halted, vessels rerouted, regional supply chain throughput disrupted.

That is the threat model maritime security practitioners need to internalize. The attack surface that matters is not just the OT stack on the vessel. It is the digital scaffolding that makes a port function: the logistics platforms, customs processing systems, shipping schedule databases, and workforce management applications that sit entirely in IT but whose failure cascades directly into the physical domain. Understanding how an adversary thinks about that scaffolding [and how they exploit it] is the purpose of this analysis.

A conventional ransomware chain becomes maritime disruption when shore-side trust systems fail.

What made this maritime?

The maritime relevance is not the malware family. It is the dependency chain. Anubis did not need bridge-system access, crane-control access, or vessel OT access to create maritime consequence. The leverage sat in shore-side trust functions: cargo status, customs workflow, berth and schedule coordination, employee access, and operational documentation. Those systems are administratively classified as IT, but operationally they behave as maritime control points.


Anubis is a financially motivated ransomware-as-a-service (RaaS) operation. Its objectives are not strategic in the nation-state sense: the primary objective was monetization, not strategic pre-positioning, even though the stolen dataset can retain intelligence value long after the extortion event ends. That monetization is structured around a double extortion model: encrypt systems to deny access, exfiltrate data to maximize pressure, demand payment under a timed deadline, and follow through on data release if refused.

The group emerged in December 2024, publicly launched its affiliate program on the RAMP (Russian Anonymous Marketplace) cybercrime forum in February 2025, and operates under the alias “superSonic” on RAMP and “Anubis__media” on the XSS and Exploit underground forums. By the time it listed the Adriatic Port Authority on its data leak site in January 2026, the group claimed revenues exceeding $20 million, a figure consistent with a mid-tier RaaS operation running at scale across multiple verticals.

What sets Anubis apart within the current RaaS ecosystem is its tiered affiliate compensation structure. Rather than a standard revenue split, the group advertises differentiated cuts: 80% to affiliates deploying ransomware, 60% for data-only extortion operations, and 50% for initial access brokers (IABs) providing network footholds without executing the payload. This structure explicitly incentivizes IABs to bring maritime and critical infrastructure targets into scope, because the group actively purchases stolen corporate data of 40 GB or more from enterprises in the US, Canada, EU, and Australia, provided the data has not previously appeared in open sources.

The port authority as a target serves the financial objective in a specific way. Maritime operators are under intense operational pressure: cargo dwell time, port call turnaround, customs clearance windows. All of these are measured in hours, not days. When core logistics systems become inaccessible, the pressure to pay accelerates faster than in a typical enterprise environment. The adversary understands this. The $10 million Bitcoin ransom demand, delivered with a seven-day countdown and a threat to publish stolen data, was calibrated for that pressure.

There is a secondary dimension worth noting for the practitioner: the data Anubis extracted from the port authority included safety plans and information about security operations. Resecurity, the threat intelligence firm whose analysis anchored reporting on this incident, explicitly flagged that this category of data carries value far beyond the ransomware context. It is precisely the kind of intelligence that organized crime groups involved in smuggling, contraband, and insider recruitment would pay to access. The ransomware attack may have had a purely financial objective, but the stolen dataset has a longer tail.


Target Selection Logic

Anubis valued reachability, pressure, and leverage — not maritime complexity.

The Adriatic Port Authority was not targeted because an Anubis affiliate had specialized knowledge of maritime infrastructure. It was targeted because it exhibited the profile characteristics that Anubis [and the RaaS ecosystem] broadly uses to identify accessible, high-pressure targets.

  1. Digitalization without maturity. Port authorities have undergone rapid digitalization over the past decade. Cargo tracking, customs processing, vessel scheduling, and workforce systems are now entirely platform-dependent. But the pace of digitalization has consistently outrun the pace of security investment. Resecurity’s assessment is direct: IT systems in the port segment are “extremely outdated and lack cybersecurity maturity,” and most ports remain unprepared for large-scale systemic cyber incidents. This is not an assessment unique to the Port of Ancona; it describes the sector condition.
  2. Internet-facing surface exposure. Anubis affiliates conduct reconnaissance against internet-facing services before committing to a target. The group’s documented initial access vectors include SonicWall VPN appliances operating without MFA, Cisco SSL VPN endpoints, SolarWinds Web Help Desk instances vulnerable to CVE-2025-26399, and CitrixBleed 2 (CVE-2025-5777). Any organisation running these systems without current patch levels and MFA enforcement is visible from Shodan and Censys scans. Port authority IT infrastructure [which typically includes remote management portals, vendor connectivity gateways, and cloud management interfaces] creates significant external exposure that is trivially enumerable by an IAB doing pre-targeting reconnaissance.
  3. Cloud misconfiguration as an attack surface. The Adriatic attack was executed through weaknesses in Office 365 and Azure account management. This is a consistent pattern in modern ransomware operations: cloud identity stores that lack conditional access policies, legacy authentication protocols still enabled, service accounts with excessive permissions, and MFA gaps in hybrid environments create pathways that bypass traditional perimeter controls. Port authorities that migrated to cloud productivity platforms without correspondingly maturing their identity security posture created exactly this exposure.
  4. Workforce as the weakest node. The affiliate responsible for initial access specifically targeted employees of the company managing the port authority: not port operations staff directly, but the administrative and management workforce with privileged access to production systems. From the adversary’s targeting logic, this makes sense. Shore-side administrative staff typically have broader Active Directory privileges than operational staff, operate on general-purpose Windows endpoints with email and browser exposure, and receive security training that is less rigorous than vessel crew training (itself often inadequate). The human attack surface in the port management environment is large and soft.
  5. Geopolitical and geographic context. The Port of Ancona sits on Italy’s central Adriatic coast and serves as a primary gateway for cargo and passenger traffic between Italy and the Western Balkans [Albania, Greece, Croatia, Montenegro]. It handles approximately 10 million tonnes of cargo annually and is a significant node for Ro-Ro, container, and passenger ferry operations. This geographic and commercial position means that disruption at Ancona has cascading effects across the Adriatic corridor. An adversary [criminal or state-aligned] targeting maximum regional economic disruption would identify Ancona as a high-leverage node. Resecurity’s observation that nation-state actors could use identical TTPs for gray-zone operations is not speculative. It reflects a documented convergence between RaaS tradecraft and hybrid warfare methodology that practitioners need to track.

Access Sequencing

The initial access vector was a spear-phishing email containing a malicious attachment, delivered to employees of the company managing the port authority. This is consistent with Anubis’s documented methodology and with the broader affiliate-sourced access model.

Understanding the access sequencing in this attack requires separating three phases: initial foothold establishment, credential harvesting and privilege escalation, and lateral movement to target systems.

Phase 1 – Initial foothold. The spear-phishing email exploited the most consistently reliable initial access vector in the sector: the human endpoint. In a port authority environment, the employees most likely to be targeted are those with visible roles: procurement officers, port captain administrative staff, HR and payroll administrators, and IT helpdesk personnel. These roles are often identifiable through publicly available port authority websites, shipping industry directories, LinkedIn profiles, and regulatory filings. An affiliate with even basic OSINT capability can construct a plausible pretexting scenario [a shipping agent inquiry, a regulatory compliance request, a payroll discrepancy notice] that warrants opening an attachment. The Adriatic port authority’s workforce represents a broad and accessible spear-phishing surface.

The malicious attachment’s execution would have established an initial foothold within the Windows environment. Anubis’s documented toolkit includes capabilities consistent with a staged loader architecture: the initial payload establishes persistence and beaconing, then pulls additional tooling based on environment reconnaissance. Trend Micro‘s binary analysis identified the payload as employing ECIES (Elliptic Curve Integrated Encryption Scheme) for file encryption, implemented in Go using a publicly available ECIES library. The same library and implementation pattern appears in the EvilByte/Prince ransomware family, which is a useful data point for practitioners building YARA or behavioral signatures. This is shared tooling lineage, not a bespoke cryptographic implementation, and detection content built against one family has a reasonable chance of generalizing to the other.

The practical defender consequence of ECIES specifically [as opposed to the AES-based symmetric schemes still common across the ransomware landscape] is that there is no shared-secret weakness to exploit. AES-based ransomware occasionally yields to key-recovery research when implementation errors produce reusable keystreams or weak per-file IVs. ECIES binds the decryption capability to an asymmetric keypair the operator controls outside the victim environment; absent an implementation flaw or key exposure, there is no realistic recovery path without the operator-controlled private key. For incident response planning, this means: budget for the assumption that payment is the only path to file recovery if backups fail, and weight your investment accordingly toward backup immutability rather than toward the (low) probability of a public decryptor appearing.

Phase 2 – Credential harvesting and escalation. From the initial foothold, the affiliate moved to credential harvesting. In an Office 365 and Azure-integrated environment, this phase is particularly consequential. Once an adversary has a foothold on a domain-joined endpoint with cached credentials, standard post-exploitation tooling can extract LSASS memory for NTLM hashes, query the Windows Credential Manager for stored credentials, and enumerate Microsoft Entra ID (formerly Azure Active Directory) tenant configuration for service principals, app registrations, and federated identity providers. If the compromised account held even Global Reader permissions, the attacker could enumerate the entire tenant’s role assignments and identify the shortest path to a Global Administrator or Privileged Role Administrator account.

One compromised identity can turn port business data and cloud control into the same attack surface.

This is the structural failure this diagram is built to surface: in many shore-side port authority IT environments, there is no segmentation between the credential set that manages day-to-day productivity (mailboxes, document libraries, HR records) and the credential set that manages cloud infrastructure (virtual machines, storage accounts, app registrations). A single compromised identity with broad role assignment can pivot in either direction. Resecurity’s finding that the Adriatic intrusion exploited “insecure accounts managing Office 365/Azure” is consistent with exactly this flat-privilege condition. The same account that gave the attacker access to contracts and employee records likely also gave them visibility into broader tenant infrastructure, even though the documented impact stayed within the data and endpoint domain.

QEMU-based VM abuse has appeared in current ransomware tradecraft adjacent to this ecosystem, and it belongs in the hunting model for port environments even if it is not publicly confirmed as part of the Adriatic intrusion. Deploying a lightweight QEMU virtual machine on a compromised host creates an isolated execution environment that is invisible to endpoint detection and response (EDR) tools operating at the host OS level. The attack tooling [lateral movement utilities, credential harvesters, encryption preparation stages] can operate inside the VM without triggering EDR telemetry on the host. This technique, independently documented by Sophos researchers in the context of related RaaS campaigns leveraging SonicWall vulnerabilities, represents a meaningful evasion capability that degrades detection probability in environments running standard EDR products without network-level behavioral analytics.

The mechanics worth understanding: QEMU’s system emulator binary [qemu-system-x86_64.exe on Windows] can be dropped onto a host and used to boot a minimal Linux guest image in seconds. From inside that guest, the attacker has a fully functional, internet-routable execution environment that shares the host’s network adapter via a bridged or NAT configuration but presents no process tree, no file writes, and no API call surface to host-based EDR, because as far as the hypervisor’s host process is concerned, the only activity is a single long-running QEMU process making routine memory and disk I/O calls. Tooling executed inside the guest [credential dumpers, SMB enumeration scripts, exfiltration utilities] generates network traffic that looks, to the host, identical to ordinary QEMU disk-image I/O.

Phase 3 – Lateral movement to target systems. With escalated credentials, the attacker moved laterally across the port authority’s IT infrastructure to reach systems managing cargo tracking, shipping schedules, and customs processing. In a port authority environment, these systems are likely to include Terminal Operating System (TOS) components, port community system (PCS) interfaces, and customs messaging gateways, all of which are functionally IT applications, not OT systems, but whose operation has direct physical-domain consequences. The attack did not need to touch any OT or maritime-specific technology stack. The IT targeting was sufficient.

The fact that insecure accounts managing Office 365 and Azure were the documented exploitation pathway suggests that the lateral movement phase leveraged cloud management credentials harvested from the initial foothold, likely a Global Admin or privileged role account whose credentials were cached or reused across endpoints. This is a consistent pattern: shore-side port authority IT environments often have flat privilege structures where administrators manage both operational applications and cloud tenancy from the same credential set.


Persistence and Dwell

The initial compromise occurred on December 11, 2025. Attribution to Anubis was established publicly in January 2026, a gap of approximately four weeks. The data leak site listing appeared in mid-January. This timeline implies a dwell period of several weeks between initial access and encryption deployment.

In a shore-side IT environment, dwell period tactics are more conventional than in a vessel OT environment. The adversary does not face the connectivity constraints, protocol limitations, or air-gap architectures that complicate persistence in shipboard systems. What dwell looks like in this environment:

  1. Persistence mechanisms. Anubis employs valid account usage as its primary persistence mechanism, a deliberate choice that minimizes artifact creation. Using harvested credentials to authenticate normally to systems generates authentication logs that blend with legitimate traffic. In an environment without behavioral analytics capable of detecting authentication anomalies (unusual access times, source IP changes, atypical resource access patterns), this persistence is essentially invisible to routine log review. Scheduled task creation and Windows service registration have also been observed in Anubis-adjacent campaigns, providing execution persistence that survives credential rotation if defenders do not identify and purge all access vectors.
  2. Reconnaissance during dwell. The dwell period served a reconnaissance function: mapping the environment, identifying backup systems and their connectivity, locating data repositories of highest extortion value, and staging exfiltration before encryption. The safety plans and security operations data that appeared in the leaked dataset required deliberate identification and targeting during this phase. The adversary had to navigate the file system and network shares to find this material. That navigation takes time and generates telemetry that an instrumented environment would detect.
  3. Pre-encryption preparation. Before deploying the encryption payload, Anubis affiliates typically attempt to disable backup connectivity, terminate security processes, and clear event logs. Anubis samples analyzed by Trend Micro document a privilege check gate (the binary verifies administrative privileges before executing its most destructive functions), followed by a specific shadow-copy purge command:
vssadmin delete shadows /for=norealvolume /all /quiet

This is worth committing to memory as a detection primitive in its own right. The “/for=norealvolume” flag is an unusual construction: most legitimate administrative shadow-copy cleanup targets a specific drive letter or volume GUID, not a placeholder non-volume. Any execution of vssadmin delete shadows with this exact flag pattern, or any shadow-copy deletion command invoked from a process spawned by an Office document handler [winword.exe, excel.exe, outlook.exe as a parent process], should be treated as a near-certain ransomware precursor rather than routine maintenance. In the Adriatic environment, the reliance on “outdated backup protocols” that slowed recovery suggests that backups were both shadow-copy dependent and reachable from the attacker’s session. An environment with properly segmented, immutable, offline backups would have a materially different recovery timeline regardless of whether shadow copies were purged.

One critical detail worth flagging: Anubis has documented wiper functionality that can be operator-activated. Trend Micro’s analysis identified command-line options within sampled binaries that, when invoked, cause the ransomware to permanently destroy file contents rather than encrypt them, making recovery impossible even after payment. In the Adriatic incident, this capability was apparently not activated. The port authority was able to restore from backups, and Resecurity described the impact as approximately 2% data loss. But the capability exists within the toolkit. Any port authority that assumes ransomware attacks are always recoverable from backups needs to account for the possibility of deliberate wiper activation by an affiliate motivated to maximize impact rather than maximize payment probability.


Objective Execution

Anubis executed for pressure: exfiltrate first, encrypt second, force payment through operational disruption.

The encryption event was the operational culmination of the dwell and preparation phases. When the payload executed, it propagated across the accessible network, encrypting files on endpoints and network shares using ECIES-based encryption. Systems supporting cargo tracking, shipping schedules, and customs processing became inaccessible. The port authority’s ability to process incoming and outgoing shipments collapsed.

The operational consequences were immediate and physical:

Vessels in the approach phase for Ancona were rerouted to alternative ports, likely Ravenna, Bari, or Brindisi depending on cargo type and commercial arrangements. Rerouting a vessel in the Adriatic is not a complex navigation problem, but it is commercially costly: repositioning fees, demurrage charges, revised berthing schedules, and consignee notification across the cargo manifest. For Ro-Ro and passenger ferry operators on the Ancona-Igoumenitsa, Ancona-Patras, and Ancona-Split routes, disruption extends beyond freight to passenger operations and vehicle logistics.

The seven-day payment countdown imposed by the ransom note was calibrated against this operational pressure. The adversary’s timing logic is straightforward. A port authority facing daily losses from halted cargo processing, vessel rerouting costs, and contractual penalties accumulates financial pressure that compounds faster than the recovery timeline for a system encrypted at scale. The $10 million demand represents a fraction of the projected operational losses if the disruption persisted for weeks.

The secondary objective [data publication as leverage] functions differently. The leaked dataset included contracts, employee records, and critically, safety plans and security operations documentation. Employee records create regulatory exposure under GDPR for an Italian public entity: the port authority faces potential enforcement action by the Garante Privacy in addition to operational recovery. Safety plans and security operations documentation, once circulated on Anubis’s Tor-hosted leak site (om6q4a6cyipxvt7ioudxt24cw4oqu4yodmqzl25mqd2hgllymrgu4aqd.onion), become permanently accessible to any actor with capability and intent, including criminal networks operating smuggling routes through the Adriatic corridor, where the Port of Ancona is a primary transit point.

This is the dimension of the attack that matters beyond the immediate incident. Ransomware is increasingly the delivery mechanism for intelligence collection that has utility far beyond the extortion event itself. The operational security plans of a port authority are not just embarrassing if leaked; they are operationally useful to criminal and state-aligned actors who need to understand the physical security posture of the facility, checkpoint locations, shift patterns, and vessel screening procedures.


Defender Implications

Model port-community trust explicitly. A port authority compromise does not remain inside the authority if its systems exchange data with shipping agents, terminal operators, customs brokers, ferry companies, logistics providers, vessel operators, or public-sector agencies. Defenders should inventory which external parties can submit, modify, approve, or consume operational data through PCS, TOS, email, API, SFTP, or portal access. The question is not only “what systems were encrypted?” It is “which maritime decisions depended on data from those systems?”

The Anubis/Adriatic incident is instructive precisely because the attack did not require OT targeting, vessel-specific tradecraft, or maritime technology expertise. The adversary achieved physical-domain consequences through entirely conventional IT exploitation. This has specific implications for maritime security practitioners.

Reconceptualize the shore-side IT environment as maritime critical infrastructure. Port authority IT systems managing TOS, PCS, and customs interfaces are not enterprise IT in the generic sense. Their failure has consequences measured in vessel diversions, cargo demurrage, and supply chain disruption. They require the same asset criticality classification and network segmentation posture that you would apply to OT systems. Practitioners managing port security architectures should map every IT dependency that, if unavailable, generates operational consequences in the physical domain. That map defines your actual critical asset boundary.

Threat hunt specifically for QEMU deployment. The documented use of QEMU virtual machine abuse for defense evasion means that host-based EDR telemetry alone is insufficient. Detection requires network behavioral analytics capable of identifying anomalous east-west traffic patterns from hosts running unexpected hypervisor processes. A starting detection rule, in Sigma-style logic, adaptable to your SIEM:

title: Unexpected QEMU system emulator execution
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\qemu-system-x86_64.exe'
      - '\qemu-img.exe'
  filter_known_virt_hosts:
    ComputerName:
      - <list of approved virtualization/lab hosts>
  condition: selection and not filter_known_virt_hosts
level: high

Pair this with a network-layer correlation: alert on any host generating sustained outbound connections where the parent process is “qemu-system-x86_64.exe” and the host is not in your approved hypervisor inventory. This technique is not yet widely detected by default EDR configurations, which is precisely why it appears in current RaaS tooling. Build the rule before you need it, not after.

Hunt for the shadow-copy deletion precursor. The specific command construction documented in Anubis samples is distinctive enough to alert on directly:

title: Anubis-style shadow copy deletion via vssadmin
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains|all:
      - 'delete'
      - 'shadows'
      - '/for=norealvolume'
  condition: selection
level: critical

Layer a second, broader rule beneath it that catches the technique family rather than this one variant: any vssadmin delete shadows /all /quiet invocation, any wmic shadowcopy delete, or any wbadmin delete catalog execution, correlated against parent process. If the parent is an Office application, a script host (wscript.exe, cscript.exe, powershell.exe), or a process with no prior baseline of administrative tool usage, escalate immediately; don’t wait for the encryption event to confirm the alert.
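As an added example (not code from the article, nor from the Anubis or Trend Micro research it cites), the two shadow-copy rules above and the QEMU-host rule from the previous section expressed as plain Python and run over constructed Sysmon-style process-creation records. The record field names, the approved hypervisor inventory and the admin-tooling parent baseline are assumptions for the example.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style).
    Field names are this example's own, not a vendor schema."""
    computer_name: str
    image: str          # full path of the newly created process
    parent_image: str   # full path of its parent
    command_line: str


# Assumed inventory: the only hosts where a QEMU binary is expected.
APPROVED_VIRT_HOSTS = {"LAB-HV01", "LAB-HV02"}
QEMU_IMAGES = {"qemu-system-x86_64.exe", "qemu-img.exe"}
# Parents that should never spawn recovery-inhibiting commands.
OFFICE_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
# Assumed baseline: parents with a prior history of running admin tooling.
ADMIN_BASELINE_PARENTS = {"mmc.exe", "services.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _tokens(command_line: str) -> set:
    return set(command_line.lower().split())


def rule_anubis_vssadmin(ev: ProcEvent):
    """Exact construction documented in Anubis samples: critical on its own."""
    if _base(ev.image) != "vssadmin.exe":
        return None
    if {"delete", "shadows", "/for=norealvolume"} <= _tokens(ev.command_line):
        return ("anubis_vssadmin_norealvolume", "critical")
    return None


def rule_recovery_inhibit_family(ev: ProcEvent):
    """Broader T1490 family, scored by who the parent process is."""
    img, tok = _base(ev.image), _tokens(ev.command_line)
    is_family = (
        (img == "vssadmin.exe" and {"delete", "shadows", "/all", "/quiet"} <= tok)
        or (img == "wmic.exe" and {"shadowcopy", "delete"} <= tok)
        or (img == "wbadmin.exe" and {"delete", "catalog"} <= tok)
    )
    if not is_family:
        return None
    parent = _base(ev.parent_image)
    if parent in OFFICE_HANDLERS or parent in SCRIPT_HOSTS:
        return ("recovery_inhibit_suspicious_parent", "high")
    if parent not in ADMIN_BASELINE_PARENTS:
        return ("recovery_inhibit_unbaselined_parent", "high")
    return ("recovery_inhibit_baselined_parent", "medium")


def rule_unexpected_qemu(ev: ProcEvent):
    """QEMU emulator running on a host outside the approved hypervisor list."""
    if _base(ev.image) in QEMU_IMAGES and ev.computer_name.upper() not in APPROVED_VIRT_HOSTS:
        return ("unexpected_qemu_execution", "high")
    return None


RULES = (rule_anubis_vssadmin, rule_recovery_inhibit_family, rule_unexpected_qemu)


def evaluate(ev: ProcEvent) -> list:
    """All (rule_name, level) hits for one event; an event can match several rules."""
    hits = []
    for rule in RULES:
        hit = rule(ev)
        if hit:
            hits.append(hit)
    return hits


def scan(events) -> list:
    """Flatten hits to (host, image, rule_name, level) tuples for triage."""
    return [(ev.computer_name, _base(ev.image), name, level)
            for ev in events for name, level in evaluate(ev)]


# Constructed sample telemetry; hostnames and paths are invented, not incident data.
SAMPLE_EVENTS = [
    ProcEvent("PORT-WS17", r"C:\Windows\System32\vssadmin.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              "vssadmin delete shadows /for=norealvolume /all /quiet"),
    ProcEvent("PORT-FS01", r"C:\Windows\System32\wbadmin.exe",
              r"C:\Windows\System32\wscript.exe", "wbadmin delete catalog -quiet"),
    ProcEvent("PORT-FS01", r"C:\Windows\System32\vssadmin.exe",
              r"C:\Windows\System32\mmc.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent("PORT-FS01", r"C:\Windows\System32\vssadmin.exe",
              r"C:\Windows\System32\mmc.exe", "vssadmin delete shadows /for=D: /oldest"),
    ProcEvent("PORT-WS17", r"C:\Users\Public\qemu\qemu-system-x86_64.exe",
              r"C:\Windows\System32\cmd.exe", "qemu-system-x86_64.exe -m 512 -hda tiny.qcow2"),
    ProcEvent("LAB-HV01", r"C:\Program Files\qemu\qemu-system-x86_64.exe",
              r"C:\Windows\explorer.exe", "qemu-system-x86_64.exe -m 2048 -hda lab.qcow2"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The fourth sample (a scoped cleanup of a named volume from a baselined admin console) produces no hit, which is the distinction the "/for=norealvolume" and parent-process checks are meant to draw.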

Treat cloud identity posture as your primary attack surface. The Adriatic attack succeeded through cloud account compromise. Office 365 and Azure management interfaces operated with insufficient access controls, consistent with the flat-privilege escalation path shown above. Practitioners managing maritime IT environments running Microsoft 365 should audit:

  • Conditional access policy coverage for all privileged roles. No exceptions for “legacy” service accounts.
  • Legacy authentication protocol status: SMTP AUTH, IMAP, POP. All should be disabled unless operationally required and compensated with additional controls.
  • Global Administrator and Privileged Role Administrator assignments. Reduce to minimum viable count, enforce phishing-resistant MFA.
  • Segregation between identities that hold Exchange/SharePoint data access and identities that hold Azure management plane [subscription, resource group, app registration] permissions. No single account should span both domains without break-glass procedures and just-in-time elevation.

Establish backup isolation as a non-negotiable architecture requirement. The Adriatic recovery was delayed because backup protocols were outdated and apparently accessible from the compromised environment. Backups connected to the domain [reachable via SMB shares authenticated with domain credentials] are not backups in any meaningful ransomware-resilience sense. Maritime IT environments must implement immutable backup targets [WORM storage, air-gapped tape, or cloud storage with object lock policies] and test restoration quarterly under timed conditions. Know your actual RTO for each critical system before the incident, not during it.

Build detection logic for the specific exfiltration window. In the Adriatic incident, the four-week dwell period before encryption included a deliberate exfiltration phase targeting safety plans and operational security documentation. This exfiltration generates detectable telemetry: large volume transfers from file servers to endpoints or external destinations, access to directories containing document classes not normally accessed by the account in question, and credential-authenticated access to SharePoint sites or OneDrive repositories outside normal working patterns. A starting query skeleton, in KQL form for Microsoft 365 / Sentinel environments:

// Assumed document-class keywords; tune to your own naming conventions.
let sensitive = dynamic(["security", "safety-plan", "ISPS", "contingency", "operations"]);
OfficeActivity
| where TimeGenerated > ago(1d)
| where Operation in ("FileDownloaded", "FileSyncDownloadedFull", "FileAccessed")
| where ObjectId has_any (sensitive)
| summarize FileCount = dcount(ObjectId), TotalEvents = count()
    by UserId, bin(TimeGenerated, 1h)
| where FileCount > 15 or TotalEvents > 50
// Drop accounts that touched the same document classes in the prior 30 days.
| join kind=leftanti (
    OfficeActivity
    | where TimeGenerated between (ago(31d) .. ago(1d))
    | where Operation in ("FileDownloaded", "FileSyncDownloadedFull", "FileAccessed")
    | where ObjectId has_any (sensitive)
    | summarize by UserId
) on UserId

The join against a 30-day historical baseline is the key element. It isolates accounts that are suddenly accessing sensitive document classes at volume with no prior access history, which is a stronger signal than volume alone. DLP policies scoped to sensitive document types [port security plans, operational procedures, personnel records] with alerting on bulk access events would create detection opportunity during the dwell phase, before the encryption event and before the exfiltrated material has any chance of reaching a leak site.

Actively threat hunt for IAB activity. Anubis’s affiliate program structure means that initial access may be sold to a broker who does not immediately deploy the payload. Between IAB access and affiliate payload deployment, there is a window [potentially weeks] during which the adversary is present but inactive. Hunt for indicators of low-and-slow reconnaissance: LDAP enumeration queries from unusual source accounts, WMI or PowerShell remote execution from endpoints not normally used for remote management, authentication patterns showing off-hours access to document repositories, and new scheduled task registrations that do not correspond to known change tickets.

Understand the intelligence value of your own data. The port authority’s safety plans and security operations documentation reached Anubis’s leak site. For maritime practitioners: classify your data by its downstream intelligence value to criminal and state-aligned actors, not just by its regulatory sensitivity. Cargo manifests, vessel arrival and departure schedules, berth allocation records, physical security overlays, and customs processing workflows all have intelligence value beyond their operational function. That classification should drive access control decisions.

Track the threat escalation trajectory. Resecurity projects that attacks against port authorities and maritime operators will intensify markedly through 2030, driven by geopolitical tensions, expanding digital connectivity in vessel and port environments, and the maturation of the RaaS affiliate ecosystem. The IACS UR E26 and E27 cybersecurity requirements impose baseline security standards on newbuild vessels from 2024, but shore-side port infrastructure is governed by a patchwork of national regulations with inconsistent enforcement. The attack surface for RaaS affiliates and the nation-state actors who observe their TTPs closely is widening, not narrowing.


MITRE ATT&CK Mapping (Selected Techniques – Adriatic Incident)

The Adriatic incident mapped conventional IT compromise to maritime operational consequence.
  • T1566.001 – Spearphishing Attachment – Initial Access
  • T1190 – Exploit Public-Facing Application – Initial Access (IAB sourcing)
  • T1078 – Valid Accounts – Persistence / Defense Evasion
  • T1068 – Exploitation for Privilege Escalation – Privilege Escalation
  • T1003.001 – OS Credential Dumping: LSASS Memory – Credential Access
  • T1021.002 – Remote Services: SMB/Windows Admin Shares – Lateral Movement
  • T1562.001 – Impair Defenses: Disable or Modify Tools – Defense Evasion
  • T1564.006 – Hide Artifacts: Run Virtual Instance (QEMU) – Defense Evasion
  • T1005 – Data from Local System – Collection / Exfiltration
  • T1485 – Data Destruction – Impact
  • T1486 – Data Encrypted for Impact – Impact
  • T1490 – Inhibit System Recovery (shadow copy deletion) – Impact
  • T1491 – Defacement / Ransom Note Delivery – Impact

Incident Timeline

The Adriatic incident unfolded as a conventional IT intrusion with maritime operational consequences.
  • December 11, 2025 – Initial compromise – spear-phishing delivers foothold
  • December 2025 (ongoing) – Dwell period – reconnaissance, credential harvest, exfiltration of safety plans and employee records
  • December 2025 / January 2026 – Encryption payload deployed – cargo systems, scheduling, customs processing rendered inaccessible
  • January 13–14, 2026 – Anubis lists Adriatic Port Authority on data leak site; $10M Bitcoin ransom demand with seven-day deadline
  • January 2026 – Breach publicly attributed; port authority issues statement; incident response engaged
  • June 11, 2026 – Resecurity publishes detailed threat intelligence analysis of the incident

Technical Appendix: Anubis Infrastructure and Negotiation Mechanics

For practitioners building threat intelligence profiles, the operational backend behind the Adriatic incident has several documented characteristics worth tracking.

Forum presence and attribution signals. Anubis operators maintain parallel personas across two Russian-language cybercrime forums: “superSonic” on RAMP (Russian Anonymous Marketplace) and “Anubis__media” on XSS and Exploit. Both accounts post exclusively in Russian. On February 23, 2025, “superSonic” advertised a restructured affiliate program on RAMP, explicitly noting that all revenue-share figures were negotiable for long-term cooperation, a recruitment posture aimed at retaining skilled affiliates rather than running a fixed-rate marketplace. Negotiation activity, leak-site updates, and hands-on attack operations cluster around Moscow Standard Time business hours, and ransom notes and binaries contain Russian-language strings and occasional Cyrillic characters left uncleaned in the code. This is the standard combination of indicators threat intelligence teams use to assess CIS-region operator origin, though it remains an assessment rather than confirmed attribution.

Targeting exclusions. Anubis has publicly stated it excludes CIS-region states, educational institutions, government bodies, and non-profit organizations from targeting, a now-standard self-imposed restriction across Russian-speaking RaaS operations, generally read as an operational security measure to avoid domestic law enforcement attention rather than an ethical constraint. Port authorities are quasi-governmental in many jurisdictions; the Adriatic Port Authority’s status as an Italian public entity did not trigger this exclusion, which tells practitioners that the exclusion list is narrower than “anything government-adjacent”. It is specifically calibrated to avoid direct domestic-state friction, not to avoid critical infrastructure generally.

The three-track affiliate economy. The structure is more granular than a simple ransomware RaaS: a traditional deployment track (80% to affiliate, 20% to Anubis), a data-only extortion track for affiliates who already hold stolen data and want monetization-as-a-service (Anubis requires the data be under six months old and not previously published, in exchange for a share of extortion proceeds), and an access-resale track for initial access brokers who sell footholds without further involvement. This tripartite structure is precisely why a single ransomware “group” can appear behind incidents with very different technical signatures. The hands-on intrusion specialists, the data monetization specialists, and the access brokers may never be the same individuals, and an IAB who sold access to the Adriatic Port Authority’s network may have had no further involvement in the encryption event or negotiation.

Lead generation as published content. Anubis prepares a detailed, investigative-article-style write-up for each victim, built from the exfiltrated data, before publication. This write-up is initially posted to the group’s Tor-hosted leak site in hidden mode, accessible only via a direct link shared privately with the victim during ransom negotiations, functioning as proof of compromise and a pressure tool simultaneously. If negotiations fail or the deadline lapses, the article [and the underlying file tree] is made publicly downloadable. The ransom note dropped on encrypted systems is a static HTML file named RESTORE FILES.html. Victim communication during negotiation has been documented via the email aliases “anubis@mailum[.]com” and “anubis20@firemail[.]de”, and the group represents itself as willing to negotiate data removal from the leak site even after publication, a claim threat intelligence analysts should treat as a negotiation tactic rather than a guarantee, since data removed from a leak site has no verifiable assurance against prior copying or onward sale.

Leak site operational status. The group’s Tor hidden service [catalogued by RansomLook at the address listed in the sources below] has maintained roughly 87% uptime over rolling 30-day windows, posts new victims at a rate of approximately ten to fifteen per month, and is protected by a CAPTCHA gate, standard infrastructure hardening against automated scraping by takedown services and researchers. Practitioners running dark web monitoring programs should track posting cadence as a leading indicator: a sudden increase in posting frequency from a tracked group often precedes or accompanies an affiliate recruitment push, which in turn precedes a wave of opportunistic targeting against whatever internet-facing vulnerability the new affiliate cohort has been equipped to exploit.
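An added example, not part of the article: the posting-cadence check described above, run over a constructed leak-site posting log (the dates and counts are invented for illustration, not Anubis or RansomLook data). It counts victim posts per consecutive 30-day window, compares the latest window against the mean of the preceding ones, and alerts when the ratio crosses a threshold; the window length, the number of baseline windows and the 2x threshold are assumptions a monitoring team would tune.

```python
"""Leak-site posting-cadence monitor.

Added example, not the article's code. The posting log below is constructed
(invented dates); window length and alert threshold are assumptions.
"""
from datetime import date, timedelta

WINDOW_DAYS = 30
SPIKE_RATIO = 2.0   # alert when the latest window is >= 2x the baseline mean (assumed)


def make_posts(start, per_window, days=WINDOW_DAYS):
    """Constructed posting log: per_window[k] victim posts spread across the k-th window."""
    posts = []
    for w, n in enumerate(per_window):
        wstart = start + timedelta(days=w * days)
        posts.extend(wstart + timedelta(days=(i * days) // n) for i in range(n))
    return posts


# Four quiet windows (~12 victims each) followed by a spike to 31 (constructed).
START = date(2026, 1, 1)
SAMPLE_POSTS = make_posts(START, [12, 11, 13, 12, 31])
OBS_DATE = START + timedelta(days=5 * WINDOW_DAYS - 1)   # 2026-05-30, end of the fifth window


def window_counts(posts, end, n_windows=5, days=WINDOW_DAYS):
    """Posts per consecutive `days`-long window ending at `end` (inclusive), oldest first."""
    counts = []
    for k in range(n_windows):
        hi = end - timedelta(days=k * days)
        lo = hi - timedelta(days=days - 1)
        counts.append(sum(1 for d in posts if lo <= d <= hi))
    return list(reversed(counts))


def cadence_alert(posts, end, n_windows=5, ratio=SPIKE_RATIO):
    """Compare the latest window against the mean of the earlier windows."""
    counts = window_counts(posts, end, n_windows)
    baseline, latest = counts[:-1], counts[-1]
    mean = sum(baseline) / len(baseline)
    r = latest / mean if mean else float("inf")
    return {"windows": counts, "latest": latest, "baseline_mean": mean,
            "ratio": r, "alert": r >= ratio}


if __name__ == "__main__":
    res = cadence_alert(SAMPLE_POSTS, OBS_DATE)
    print(f"posts per {WINDOW_DAYS}-day window (oldest first): {res['windows']}")
    print(f"latest={res['latest']} baseline_mean={res['baseline_mean']:.1f} "
          f"ratio={res['ratio']:.2f} alert={res['alert']}")
```

Run the same check one window earlier (observation date 2026-04-30, four windows) and it stays quiet; at the end of the spike window the ratio reaches about 2.6 and the alert fires. In practice the alert is the trigger to look for a recruitment post on the forums named above, not an answer in itself.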


The Adriatic incident does not exist in isolation. The maritime port sector has absorbed a series of ransomware attacks over the past decade that collectively define the threat pattern:

Across a decade of port ransomware, the pattern is consistent: conventional IT compromise becomes maritime operational disruption.
  • NotPetya’s 2017 destruction of Maersk’s global IT infrastructure [including its terminal operating systems] resulted in $200-300 million in losses and required a ten-day recovery operation involving reinstallation of approximately 45,000 PCs and 4,000 servers. That attack was nation-state attributed (Russia/Sandworm), demonstrated the physical consequences of maritime IT disruption at global scale, and served as the proof-of-concept that the RaaS ecosystem subsequently adopted for port targeting.
  • LockBit 3.0’s 2023 attack on the Port of Nagoya’s NUTS (Nagoya United Terminal System) halted container cargo operations for two days and disrupted Toyota’s supply chain.
  • A 2026 attack on the Port of Vigo, Spain [operator unknown at time of writing] forced manual cargo operations as digital systems failed.

The pattern: maritime ports are consistently accessible through conventional IT attack vectors, consistently lack mature detection and response capabilities, and consistently face operational pressure that accelerates payment decisions. Anubis affiliates operating against the Adriatic Port Authority were executing a playbook that the threat intelligence community has documented across dozens of incidents. The TTPs were not novel. The targeting logic did not need to be sophisticated. It only needed to align with how port operations actually depend on digital trust.

That effectiveness is the practitioner’s problem to solve.


Sources and Further Reading

Maritime Threat Craft is an independent LinkedIn article series written for maritime IT/OT security practitioners. Series identity: Adversary Thinking for Maritime Defenders. It is published by Alexandros Engelen, a Cybersecurity Strategist, specializing in Maritime Cyber Risk.